From a99a48c6d874d01588d34f07b4713d248dfb3dfa Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Thu, 10 Oct 2024 20:04:12 +0200
Subject: [PATCH] Prefer bubblewrap for network isolation

Bubblewrap is another tool for unsharing namespaces. It sets up a network namespace with a disconnected loopback.
Fixes: #472
Signed-off-by: Christian Heimes
---
 .github/workflows/test.yaml | 6 ++++++
 src/fromager/__main__.py | 2 +-
 src/fromager/external_commands.py | 17 ++++++++++-------
 3 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 787226e70..028c71d24 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -38,6 +38,12 @@ jobs:
 default: true
 override: true
+ - name: install bwrap
+ if: matrix.os == 'ubuntu-latest'
+ run: |
+ sudo apt-get update
+ sudo apt-get -y install bubblewrap
+
 - name: Install dependencies
 run: python -m pip install tox
diff --git a/src/fromager/__main__.py b/src/fromager/__main__.py
index c92af2d81..4f90161f8 100644
--- a/src/fromager/__main__.py
+++ b/src/fromager/__main__.py
@@ -124,7 +124,7 @@
 @click.option(
 "--network-isolation/--no-network-isolation",
 default=SUPPORTS_NETWORK_ISOLATION,
- help="Build sdist and wheen with network isolation (unshare -cn)",
+ help="Build sdist and wheen with network isolation (bwrap, unshare -nr)",
 show_default=True,
 )
 @click.pass_context
diff --git a/src/fromager/external_commands.py b/src/fromager/external_commands.py
index 65e5d338a..39aa31f2a 100644
--- a/src/fromager/external_commands.py
+++ b/src/fromager/external_commands.py
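Review bot: The new `help=` text advertises `unshare -nr`, but the fallback command this flag enables (external_commands.py, same patch) is `unshare --net --map-current-user`; in unshare(1) `-r` is the short form of `--map-root-user`, while `--map-current-user` is `-c`, so the old `-cn` was the accurate spelling and the new text misdescribes what runs. The pre-existing `wheen` typo is also carried over into the new line. Suggest `help="Build sdist and wheel with network isolation (bwrap or unshare -nc)"`.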
@@ -9,9 +9,12 @@ logger = logging.getLogger(__name__)
-NETWORK_ISOLATION: list[str] | None
+NETWORK_ISOLATION: list[list[str]] | None
 if sys.platform == "linux":
- NETWORK_ISOLATION = ["unshare", "--net", "--map-current-user"]
+ NETWORK_ISOLATION = [
+ ["bwrap", "--unshare-network", "--dev-bind", "/", "/", "--"],
+ ["unshare", "--net", "--map-current-user"],
+ ]
 else:
 NETWORK_ISOLATION = None
@@ -22,11 +25,11 @@ def network_isolation_cmd() -> typing.Sequence[str]:
 Raises ValueError when network isolation is not supported
 Returns: command list to run a process with network isolation
 """
- if sys.platform == "linux":
- unshare = shutil.which("unshare")
- if unshare is not None:
- return [unshare, "--net", "--map-current-user"]
- raise ValueError("Linux system without 'unshare' command")
+ if NETWORK_ISOLATION is not None:
+ for cmd in NETWORK_ISOLATION:
+ if shutil.which(cmd[0]):
+ return cmd
+ raise ValueError("Linux system without network isolation support")
 raise ValueError(f"unsupported platform {sys.platform}")
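Review bot: The bwrap entry in the new `NETWORK_ISOLATION` table uses `--unshare-network`, but the bubblewrap option that creates a new network namespace is spelled `--unshare-net` (paired with `--share-net`); unless some bubblewrap release accepts the longer spelling as an alias, the preferred isolator would be rejected at exec time with an unknown-option error, and since `network_isolation_cmd` only checks that the binary exists it would never fall back to `unshare`. Suggest `["bwrap", "--unshare-net", "--dev-bind", "/", "/", "--"]` plus a CI step that actually executes the chosen command once, so a wrong flag is caught on the ubuntu runner that now installs bubblewrap. A comment above the assignment should also state the scope of this sandbox, because `--dev-bind / /` keeps the entire host filesystem visible read-write: `# Network-only sandbox: --dev-bind / / leaves the whole host filesystem (including /dev) mounted read-write; no pid/ipc isolation is requested.`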
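Review bot: `return cmd` hands callers the module-level list object stored in `NETWORK_ISOLATION`, so a caller that extends the returned command in place (e.g. `cmd += argv`) silently mutates the shared table for every later build, whereas the removed code built a fresh list on each call; return a copy with `return list(cmd)`. `shutil.which(cmd[0])` also only proves the binary is on PATH, not that the kernel allows unprivileged user namespaces, so the fallback loop cannot recover from a runtime failure of the first candidate — worth one sentence in the docstring. The `def` line and the opening of the docstring lie outside this hunk.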